Networked computers are vulnerable to malicious computer code attacks, such as worms, viruses and Trojan horses. As used herein, “malicious computer code” is any code that enters a computer without an authorized user's knowledge and/or without an authorized user's consent.
It is often desirable to scan data before allowing it into a computer or a computer network. Data can contain undesirable content, such as malicious code (e.g. a computer virus). Scanning an inbound data flow for matches to known malicious code signatures prior to allowing it into a computing environment can detect undesirable content, and either block the entry of the data, or modify the data so as to remove the undesirable content. Similarly, scanning an outbound flow of data prior to allowing it to leave a computing environment can detect and process malicious code originating from that organization's computer network.
Existing scanning engines perform both packet and stream-oriented scanning. To detect attacks that span multiple packets (i.e., at the stream level), such scanners must buffer the contents of previous packets in those cases when a signature matches the data within the current packet, but requires more data from subsequent (as-yet unavailable) packets to complete matching.
Therefore, these engines, only when necessary, buffer the contents of previous packets until such time that enough contiguous data is available for a signature to be applied, and either to determine that it has matched or mismatched conclusively.
Given the large number of flows that must be simultaneously processed by a network intrusion detection system (often, 50,000 or more connections must be dealt with simultaneously), the amount of data that can be buffered on behalf of any specific connection/flow is extremely small (typically only a couple of kilobytes). Unfortunately, there are many attacks—specifically buffer overflow attacks—which often require tens of kilobytes of contiguous stream data for identification. Any scanning engine that is incapable of buffering a sufficient amount of data for scanning will be unable to detect such an attack, or at least unable to detect such attacks reliably without a dramatically increased false positive rate. Subsequently, existing scanning engines are incapable of reliably detecting these types of attacks.
What is needed are methods, computer readable media and systems that enable performance-efficient caching of packet data to enable detection of the most complex threats, while minimizing the required amount of memory.